Fix security driver handling of FIFOs with QEMU
authorDaniel P. Berrange <berrange@redhat.com>
Tue, 29 Mar 2011 14:46:48 +0000 (15:46 +0100)
committerDaniel P. Berrange <berrange@redhat.com>
Fri, 6 May 2011 11:56:32 +0000 (12:56 +0100)
When a FIFO is set up for QEMU, QEMU allows either a pair
of fifos used unidirectionally, or a single fifo used
bidirectionally. Look for the bidirectional fifo first
when labelling, since that is more useful.

* src/security/security_dac.c,
  src/security/security_selinux.c: Fix fifo handling

src/security/security_dac.c
src/security/security_selinux.c

index fba2d1ddbf68a1223480a6ff54bf8b9df086236f..b8642d2d72a1eaac3015f59e89224728a2df739d 100644 (file)
@@ -406,14 +406,19 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
         break;
 
     case VIR_DOMAIN_CHR_TYPE_PIPE:
-        if ((virAsprintf(&in, "%s.in", dev->data.file.path) < 0) ||
-            (virAsprintf(&out, "%s.out", dev->data.file.path) < 0)) {
-            virReportOOMError();
-            goto done;
+        if (virFileExists(dev->data.file.path)) {
+            if (virSecurityDACSetOwnership(dev->data.file.path, priv->user, priv->group) < 0)
+                goto done;
+        } else {
+            if ((virAsprintf(&in, "%s.in", dev->data.file.path) < 0) ||
+                (virAsprintf(&out, "%s.out", dev->data.file.path) < 0)) {
+                virReportOOMError();
+                goto done;
+            }
+            if ((virSecurityDACSetOwnership(in, priv->user, priv->group) < 0) ||
+                (virSecurityDACSetOwnership(out, priv->user, priv->group) < 0))
+                goto done;
         }
-        if ((virSecurityDACSetOwnership(in, priv->user, priv->group) < 0) ||
-            (virSecurityDACSetOwnership(out, priv->user, priv->group) < 0))
-            goto done;
         ret = 0;
         break;
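Review bot: The new `virFileExists(dev->data.file.path)` test in the `VIR_DOMAIN_CHR_TYPE_PIPE` case selects the bidirectional fifo whenever it exists, so if `PATH`, `PATH.in` and `PATH.out` are all present, only `PATH` is handed to `priv->user`/`priv->group`. As far as I recall, QEMU's pipe backend tries the `.in`/`.out` pair first and falls back to the single fifo only when that fails, so the file labelled here may not be the one QEMU opens; please confirm, and if so build `in`/`out` first and branch on `if (virFileExists(in) && virFileExists(out))`, falling back to `dev->data.file.path` otherwise. The existence check is also a separate step from the path-based ownership change and does not confirm that the target is a fifo, which deserves a comment since the path presumably comes from the domain configuration. The SELinux hunk in `SELinuxSetSecurityChardevLabel` has the same shape; both function bodies start and end outside the hunks.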
 
index d8706163cc98bfffc53bfd072d233fc820f75017..0ce999f9fec1ec4269d8c5a49a053f6147ccded9 100644 (file)
@@ -733,14 +733,19 @@ SELinuxSetSecurityChardevLabel(virDomainObjPtr vm,
         break;
 
     case VIR_DOMAIN_CHR_TYPE_PIPE:
-        if ((virAsprintf(&in, "%s.in", dev->data.file.path) < 0) ||
-            (virAsprintf(&out, "%s.out", dev->data.file.path) < 0)) {
-            virReportOOMError();
-            goto done;
+        if (virFileExists(dev->data.file.path)) {
+            if (SELinuxSetFilecon(dev->data.file.path, secdef->imagelabel) < 0)
+                goto done;
+        } else {
+            if ((virAsprintf(&in, "%s.in", dev->data.file.path) < 0) ||
+                (virAsprintf(&out, "%s.out", dev->data.file.path) < 0)) {
+                virReportOOMError();
+                goto done;
+            }
+            if ((SELinuxSetFilecon(in, secdef->imagelabel) < 0) ||
+                (SELinuxSetFilecon(out, secdef->imagelabel) < 0))
+                goto done;
         }
-        if ((SELinuxSetFilecon(in, secdef->imagelabel) < 0) ||
-            (SELinuxSetFilecon(out, secdef->imagelabel) < 0))
-            goto done;
         ret = 0;
         break;
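Review bot: Nothing in this commit touches the restore side: the file list shows only the two set-label hunks, so if the matching restore code for `VIR_DOMAIN_CHR_TYPE_PIPE` still handles only `PATH.in`/`PATH.out`, a bidirectional fifo relabelled here with `secdef->imagelabel` would keep that label after the guest stops. The restore function is not on this page, so this needs checking there; the same question applies to the ownership set in the `virSecurityDACSetChardevLabel` hunk. A short comment above the new branch, e.g. `/* QEMU accepts PATH (bidirectional) or PATH.in + PATH.out; label whichever is in use */`, would help keep the set and restore paths in step. The function body starts and ends outside the hunk.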